Initial draft of privilege escalation policy

Adam Williamson awilliam at redhat.com
Wed Jan 20 18:06:01 UTC 2010


On Wed, 2010-01-20 at 12:15 -0500, James Laska wrote:

> > > Other sections: I considered having a 'suggested compliance'
> > > section, which would explain the preferred way of implementing
> > > authorization (PolicyKit), and an 'enforcement' section, which
> > > would outline that QA will test for compliance with the policy.
> > > But I'm not sure if they'd be appropriate. What does everyone
> > > think?
> 
> re: enforcement ... not a bad idea.  We can certainly work those
> backlinks in once we have some test documentation available.

OK, I'll add that to the next draft.

> > This does not seem right. While we want a standard, unprivileged
> > user to not be able to do these things, we very much want to define
> > an 'Administrator' role that can be assigned to users other than
> > root and that will enable them to do many of these things by just
> > authenticating as themselves, not as root.
> 
> How does this work now?  I'm familiar with prompting for the user's
> password (not root) even if that user is in a special Administrator
> group.

It's just not been implemented yet. PolicyKit certainly allows for this
level of flexibility, though, and the desktop team plan to use it, as
Matthias says. An 'administrators' group will be defined which can do
quite a lot of the things that are restricted by this policy, and you'll
be able to add user accounts to it. Those users will be able to perform
those actions either with no additional authorization or by
authenticating as themselves (rather than root). This isn't at all
implemented yet, though, even in Rawhide.

> > I don't see how a Fedora policy can apply to non-packaged resources;
> > other than the fact that those resources will be subject to normal
> > access control (e.g. file permissions).
> 
> re: non-packaged resources, does this apply to things you set up on
> the system after install (printers, package repositories, downloaded
> package metadata)?

No, what it means I explained in another reply :)

> > > * Write to system logs (with the exception that the 'cause to be
> > > performed' provision is waived in this case)
> > 
> > Huh ? The mere fact of me logging in will cause system logs to be
> > written...
> 
> The exception noted above about 'cause to be performed' seems to
> capture system log writes (/var/log/{secure,messages,Xorg}).  What do
> you define as system logs?

I was being hand-wavy. :) Spot's blog says 'anything in /var/log', which
isn't a bad definition, I guess. Can you think of anything better?
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
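The mechanism Adam describes above (an 'administrators' group whose members act either with no extra authorization or by authenticating as themselves rather than as root) is, in later PolicyKit releases, expressed as JavaScript rules in /etc/polkit-1/rules.d/. The following is an added example, not code from this thread, from Fedora or from the polkit project: the two rule bodies use the real polkit rules API (polkit.addAdminRule, polkit.addRule, polkit.Result, subject.isInGroup), while the `polkit` object, makeSubject() and decide() are an assumed, deliberately small stand-in for polkitd's rule evaluation so the rules can be exercised under Node. The action ids org.example.printers.add-local and org.example.system.shutdown and the users alice and bob are constructed placeholders.

```javascript
// Added example (not from the thread, Fedora or polkit). Rule bodies use the
// real polkit rules API; the `polkit` object and decide() are a simplified
// model of polkitd's evaluation so this runs under Node.

const polkit = {
  // Real polkit.Result member names; the string values are only for display.
  Result: {
    NO: "no", YES: "yes",
    AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null,
  },
  _adminRules: [],
  _rules: [],
  addAdminRule(fn) { this._adminRules.push(fn); },
  addRule(fn) { this._rules.push(fn); },
};

// ---- rules a deployer would ship (what the thread's policy describes) ----

// Whenever an action asks for administrator authentication, the identities
// that may satisfy it are the members of 'administrators'. A member of that
// group is therefore prompted for their own password, not root's.
polkit.addAdminRule(function (action, subject) {
  return ["unix-group:administrators"];
});

// For a low-risk action, members of 'administrators' get no prompt at all.
// The action id is a constructed placeholder, not a real Fedora action.
polkit.addRule(function (action, subject) {
  if (action.id === "org.example.printers.add-local" &&
      subject.isInGroup("administrators")) {
    return polkit.Result.YES;
  }
  // Returning undefined means "not handled": polkitd moves to the next rule
  // and finally to the action's own default from its .policy file.
});

// ---- stand-in evaluation (assumed simplification of polkitd) ----

function makeSubject(user, groups) {
  return { user, isInGroup: (g) => groups.includes(g) };
}

// implicitResult stands for the action's <defaults> entry in its .policy
// file, which polkitd falls back to when no rule handles the action.
function decide(actionId, subject, implicitResult) {
  const action = { id: actionId };
  const R = polkit.Result;
  let result = R.NOT_HANDLED;
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== R.NOT_HANDLED) { result = r; break; }
  }
  if (result === R.NOT_HANDLED) result = implicitResult;

  // The first admin rule returning a list decides who may authenticate.
  let adminIdentities = ["unix-user:root"];
  for (const rule of polkit._adminRules) {
    const ids = rule(action, subject);
    if (ids) { adminIdentities = ids; break; }
  }

  // Work out whose password the authentication agent would ask for.
  let authenticateAs = null;
  if (result === R.AUTH_SELF || result === R.AUTH_SELF_KEEP) {
    authenticateAs = "unix-user:" + subject.user;
  } else if (result === R.AUTH_ADMIN || result === R.AUTH_ADMIN_KEEP) {
    const coversSubject = adminIdentities.some((id) =>
      id === "unix-user:" + subject.user ||
      (id.startsWith("unix-group:") &&
       subject.isInGroup(id.slice("unix-group:".length))));
    // If the subject is itself an admin identity the agent can ask for the
    // subject's own password; otherwise one of the listed identities must.
    authenticateAs = coversSubject ? "unix-user:" + subject.user : adminIdentities;
  }
  return { result, authenticateAs };
}

// alice is in 'administrators'; bob is an ordinary, unprivileged user.
function demo() {
  const alice = makeSubject("alice", ["administrators"]);
  const bob = makeSubject("bob", []);
  const R = polkit.Result;
  return {
    adminAddPrinter: decide("org.example.printers.add-local", alice, R.AUTH_ADMIN),
    userAddPrinter: decide("org.example.printers.add-local", bob, R.AUTH_ADMIN),
    adminShutdown: decide("org.example.system.shutdown", alice, R.AUTH_ADMIN_KEEP),
    userShutdown: decide("org.example.system.shutdown", bob, R.AUTH_ADMIN_KEEP),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows alice adding a printer with no prompt, alice shutting down after entering her own password, and bob being asked for an administrator's credentials in both cases. Two caveats for anyone reading this against the 2010 thread: the JavaScript rules format arrived with polkit 0.106, so the PolicyKit of that era expressed the same intent in .pkla files under /etc/polkit-1/localauthority (Identity=unix-group:administrators with ResultActive=auth_self_keep or yes); and a rule returning YES for a group is exactly the kind of setting a QA compliance test would need to check, since it removes the authentication step the policy otherwise requires.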